We're migrating from a VPN solution to Cloudflare ZTNA as our always-on device protection solution. As part of this, I've been setting up Cloudflare connectors in all our AWS regions to enable private resource access — but I'm questioning whether that's actually necessary for our setup.
Goal:
Always on device protection and traffic monitoring(CloudFlare WARP does it already, AFAIK)
As we are replacing our vpn which helps us to connect to EC2 and RDS, the goal is similar to what we already have with our vpn. But Ive been asking myself, do I have to go through the process of setting ZTNA to access private networks in all our aws accounts and configure firewalls to put restrictions so that not everyone can access every vpc? Using SSM for EC2 and Application instance for RDS access seems to be solving all of these without any overhead
Our current setup:
SSM for EC2 access — no SSH over VPN needed
RDS access is restricted to the application server only
Cloudflare WARP is replacing the current VPN for always-on device protection
What I'm questioning:
We're spending effort deploying Cloudflare connectors in every AWS region to enable private network access through ZTNA. But I'm struggling to see the actual gap it fills, given:
SSM handles EC2 access — no VPN or connector needed
RDS is only accessible from the application EC2 — no direct developer access needed
No internal apps that are only accessible through a private network
AWS infrastructure access is through AWS SSO + Okta — disable Okta, everything is revoked
My question:
For those using ZTNA for private resource access — what specific use case is it solving that SSM + AWS SSO doesn't already cover? Am I missing a scenario that will bite me later?
Genuinely trying to understand if I'm oversimplifying or if connectors are unnecessary complexity for our setup.